Federating non-web services with LDAP-Façade

Arsen Hayrapetyan (KIT), Arsen.Hayrapetyan@kit.edu

What is LDAP-Façade
A solution developed by KIT which enables non web-based services to join SAML-based federations. It combines SAML logic with an LDAP directory interface:
  to the service, it appears to be a local LDAP directory;
  to the SAML federation, it appears to be a Service Provider (SP).
LDAP-Facade - 9th FIM4R Workshop, 30.11.2015, Vienna

ECP: the SAML Enhanced Client or Proxy profile
ECP is the SAML profile for clients that are not web browsers. LDAP-Façade supports both of its variants:
  SP as an enhanced proxy: the LDF talks to the IdP on the user's behalf, so it needs the user's IdP credentials;
  service client as an enhanced client: the client obtains the assertion from the IdP itself and carries it to the LDF.
Figure courtesy of J. Köhler, M. Simon, M. Nussbaumer, H. Hartenstein.

User registration with the service
Registration is web-based and uses the SAML Web-SSO profile. A local account is established for the user upon registration; it holds service-specific information (UID, home directory, etc.) and records that the user accepted the SP's policies.
  1. The user logs into the LDF with her home IdP account.
  2. The user clicks the service registration link.
  3. The user accepts the policies of the SP.
The SAML assertion released to the LDF during this login is used to authenticate the user and to fill in the attributes of the local account.

SSH example (enhanced proxy case)
Components: the SSH server with PAM LDAP authentication; the LDF, consisting of Apache DS on top of the Reg-App (which holds the SAML SP logic); the user's home IdP.
  1. The user sends username and password to the SSH server.
  2. PAM performs an LDAP authentication for the user against the LDF; the password is forwarded to the LDF.
  3. The LDF opens an HTTPS connection to the IdP.
  4. The LDF logs in to the IdP with the user's credentials.
  5. The IdP returns a SAML assertion.
  6. The LDF answers the LDAP authentication: AuthN OK, plus the user's attributes.
  7. The user is logged in.
Note that in this case the home organisation password travels through the SSH server and the LDF before reaching the IdP, so the SP handles the user's IdP credential; the enhanced client case avoids this.

SSH example (enhanced client case)
Same components as above, but the SSH client acts as the ECP enhanced client:
  1. The client authenticates to the home IdP with the user's username and password.
  2. The IdP returns a SAML assertion to the client.
  3. The client sends the SAML assertion to the SSH server, wrapped in the password field.
  4. PAM performs an LDAP authentication for the user against the LDF; the SAML assertion is forwarded to the LDF.
  5. HTTPS exchange between the LDF and the IdP.
  6. The LDF answers the LDAP authentication: AuthN OK, plus the user's attributes.
  7. The user is logged in.

SSH example (enhanced client case): passing the SAML assertion to the service provider's server
Strategies:
  wrapping the assertion into the password field (this has limitations);
  passing a URL from which the LDF downloads the assertion.
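The two strategies above, worked through as an added example. This is illustration code written for this page, not LDAP-Façade's own implementation: the client side builds the password field either way, and the façade side shows the checks it must make before it can answer the PAM bind with "AuthN OK" and posixAccount attributes (validity window, audience, and that the asserted user is the one binding). The entity IDs, URLs, the unsigned assertion text and the in-memory "download" are all constructed for the example; a real façade must additionally verify the IdP's XML signature with a SAML library, which this code only notes in a comment. One concrete limitation of the wrapping strategy, not stated on the slide and added here: OpenSSH (since 7.3) refuses password authentication requests longer than 1024 characters, and a signed assertion is typically several kilobytes.

```python
"""Enhanced-client assertion transport through the SSH password field (added example)."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
LDF_ENTITY_ID = "https://ldf.example.org/sp"   # hypothetical entityID of the façade SP
ASSERTION_URL = "https://idp.example.org/assertions/42"  # hypothetical download location
MAX_SSHD_PASSWORD_LEN = 1024  # OpenSSH >= 7.3 rejects longer password-auth requests


def _ts(t: dt.datetime) -> str:
    return t.astimezone(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def make_assertion(uid, mail, audience, not_before, not_on_or_after, signature=""):
    """Constructed assertion text; `signature` is a placeholder for the real ds:Signature."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">'
        f'<saml:Issuer>https://idp.example.org/idp</saml:Issuer>{signature}'
        f'<saml:Subject><saml:NameID>{uid}</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotBefore="{_ts(not_before)}" NotOnOrAfter="{_ts(not_on_or_after)}">'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>'
        f'<saml:Attribute Name="uid"><saml:AttributeValue>{uid}</saml:AttributeValue></saml:Attribute>'
        f'<saml:Attribute Name="mail"><saml:AttributeValue>{mail}</saml:AttributeValue></saml:Attribute>'
        '</saml:AttributeStatement></saml:Assertion>'
    )


# --- client side: two ways to get the assertion to the façade (step 3) -------
def wrap_in_password(assertion_xml: str) -> str:
    """Strategy 1: the assertion itself travels in the password field."""
    pw = "SAML:" + base64.b64encode(assertion_xml.encode()).decode()
    if len(pw) > MAX_SSHD_PASSWORD_LEN:
        raise ValueError(f"wrapped assertion is {len(pw)} chars; sshd accepts at most {MAX_SSHD_PASSWORD_LEN}")
    return pw


def reference_in_password(url: str) -> str:
    """Strategy 2: only a reference travels; the façade downloads the assertion."""
    return "SAMLURL:" + url


# --- façade side: what 'LDAP authN for the user' (step 4) has to check -------
def _parse_time(s: str) -> dt.datetime:
    return dt.datetime.fromisoformat(s.replace("Z", "+00:00"))


def facade_bind(username: str, password: str, fetch, now: dt.datetime) -> dict:
    """Return posixAccount-style attributes for a valid bind, else raise PermissionError.
    `fetch(url) -> str` stands in for the façade's HTTPS download in strategy 2."""
    if password.startswith("SAML:"):
        xml = base64.b64decode(password[len("SAML:"):]).decode()
    elif password.startswith("SAMLURL:"):
        url = password[len("SAMLURL:"):]
        if not url.startswith("https://"):  # never fetch an assertion over plain HTTP
            raise PermissionError("assertion reference must be an https URL")
        xml = fetch(url)
    else:
        raise PermissionError("password field carries neither an assertion nor a reference")
    # A production façade verifies the IdP's XML signature here (e.g. with a SAML
    # library) before trusting anything below; this example assumes that step.
    root = ET.fromstring(xml)
    cond = root.find(f"{SAML}Conditions")
    if cond is None:
        raise PermissionError("assertion without Conditions")
    if not (_parse_time(cond.get("NotBefore")) <= now < _parse_time(cond.get("NotOnOrAfter"))):
        raise PermissionError("assertion outside its validity window")
    if LDF_ENTITY_ID not in [a.text for a in cond.iter(f"{SAML}Audience")]:
        raise PermissionError("assertion was not issued for this façade")
    attrs = {a.get("Name"): a.findtext(f"{SAML}AttributeValue") for a in root.iter(f"{SAML}Attribute")}
    if attrs.get("uid") != username:  # stops a replay of someone else's assertion under my login
        raise PermissionError("asserted uid does not match the bind user")
    return {"uid": attrs["uid"], "mail": attrs.get("mail"), "homeDirectory": f"/home/{attrs['uid']}"}


def demo() -> dict:
    """Run both strategies plus two failure modes; returns the outcomes."""
    now = dt.datetime(2015, 11, 30, 10, 0, tzinfo=dt.timezone.utc)
    small = make_assertion("alice", "alice@example.org", LDF_ENTITY_ID,
                           now - dt.timedelta(minutes=1), now + dt.timedelta(minutes=5))
    fake_sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>'
                + "A" * 2048 + "</ds:SignatureValue></ds:Signature>")  # constructed size stand-in
    signed = make_assertion("alice", "alice@example.org", LDF_ENTITY_ID,
                            now - dt.timedelta(minutes=1), now + dt.timedelta(minutes=5), fake_sig)
    store = {ASSERTION_URL: signed}  # constructed stand-in for the HTTPS download
    out = {"wrapped": facade_bind("alice", wrap_in_password(small), store.get, now)["uid"]}
    try:
        wrap_in_password(signed)
        out["signed_fits_in_password"] = True
    except ValueError:
        out["signed_fits_in_password"] = False
    out["by_reference"] = facade_bind("alice", reference_in_password(ASSERTION_URL), store.get, now)["uid"]
    for key, user, at in (("wrong_user", "bob", now), ("expired", "alice", now + dt.timedelta(hours=1))):
        try:
            facade_bind(user, wrap_in_password(small), store.get, at)
            out[key] = "accepted"
        except PermissionError:
            out[key] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

The uid-versus-bind-user check is the one a façade most easily forgets: PAM binds as the name the user typed, and the assertion is a bearer credential, so without that comparison any valid assertion from the federation would log in as whoever is named in the SSH username.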

Demonstrations
  SSH with home organisation password forwarding to the SSH server (enhanced proxy case)
  SSH without home organisation password forwarding to the SSH server (enhanced client case)

Current usage
  Approx. 17,600 users: 13,755 active users of bwSync&Share, 1,020 users of bwUniCluster, 1,007 users of bwFileStorage
  Production LDF servers at KIT and Ulm University (members of DFN-AAI)
  Pre-production LDF server in Mannheim
  Test LDF servers in Esslingen, Tübingen and Freiburg (the last two will go into production)

The roadmap
  12/2015: public prototype for DFN + eduGAIN; SAML-Token support
  03/2016: zero-attribute requirements, for simplified support of additional IdPs; support for additional IdPs / federations, e.g. Umbrella, B2ACCESS, ...
  06/2016: OpenID Connect support; integration with the Globus grid security infrastructure, i.e. GridFTP using LDAP-Façade for (UID, [GID])
  12/2016: support for third-party group membership (e.g. via Attribute Authorities), e.g. Unity (B2ACCESS), VOMS-SAML, ...

References
J. Köhler, M. Simon, M. Nussbaumer, H. Hartenstein: Federating HPC access via SAML: Towards a plug-and-play solution. International Supercomputing Conference, Leipzig, Germany, June 2013.

Thank you!